PhantomRaven was detected by researchers at Koi Security and includes packages that mimic legitimate projects, and many are the result of AI hallucinated recommendations (“slopsquatting”). Slopsquatting occurs when developers ask LLMs to suggest packages for a project, and the AI assistants recommend non-existent package names that appear legitimate. The researchers say that some malicious packages impersonate GitLab or Apache tools. Most of them are still present on the npm platform at the time of writing.
Overview of the attack
The packages used in the PhantomRaven campaign leverage a remote dynamic dependencies (RDD) system where they declare zero dependencies, but automatically fetch payloads from external URLs during installation. The mechanism fetches packages and executes them automatically when running ‘npm install’, and requires no user interaction. The “side-loaded” payload profiles the infected device to determine the target’s value, and searches the victim’s environment variables for email addresses. Most worryingly, the malware collects tokens for NPM, GitHub Actions, GitLab, Jenkins, and CircleCI, which could be used to introduce malicious changes into other projects and potentially launch supply chain attacks.